This strain of malware has already existed for a couple of years.
Malpedia has a dump of whitepapers about it and
Mitre nicely lists the attacks it can make. Microsoft only made a tweet about Anubis but I don't see any new whitepapers written about it, or new information about Anubis on the news. So I don't think there is a new strain of Anubis in the wild, I think we are just talking about the same old version.
Also, it doesn't only target cryptocurrency wallets, it grabs anything with financial value, so that means passwords, credit cards, and just about anything else you'd expect malware to steal. So while I don't think it's safe to copy private keys or seed phrases on such systems, if you obfuscate and scramble your keys before storing them on such infected systems (it could be as simple as encoding it in hexadecimal or base64) then I believe the command-and-control operators running Anubis will be confused and not know what this data represents, and may treat it like junk data.
Anubis rang a bell, and I thought this was old news from at least 2018/2019, when a banking targeting malware was on the loose.
It does ring a bell,
Warning: Cerberus Android Malware Can Bypass 2FA, Unlock Devices Remotely.
If we are going by the flow, it was supposedly a fork of Loki, so back tracking, the mode of attack is:
So I will assume that the 3rd attack vector is what Microsoft Engineers have seen in the wild.
No, Cerberus is not the same malware as Anubis, they have different codebases. And LokiBot is also a different malware from those two, they are developed independently of each other, and when you analyze these three viruses you should treat them as three separate threats as they don't share features unless one dev explicitly copies features from another one, and they may not even be open source making what I said impossible for them to do.
So it's not like there's this combined banking trojan threat that's out to get us all, which is what the media is making it out as. Like I said earlier, news articles don't give out specific details about how malware works.
I also think it is dangerous for the Anubis writers to replay the hacking strategies that LokiBot used, because their methods are already well documented by researchers, like the Trend Micro articles you linked to, so it makes it easier for some enterprise to detect an attempted hack and sanitize their computer systems.
There is an easy killswitch for Anubis, just turn off your phone's gyroscope because it monitors it to see if the phone moves. This is the same killswitch in Cerberus by the way, I think I wrote about that one here before. It's a common test malware authors put in to make sure the malware does not run in security researchers' emulated and hand-crafted Android sandboxes so they can't inspect it for properties and patterns.
So that means if you have an old dumb-phone running Android but it has no gyroscope in it then you cannot be infected by any of these "modern" trojans because they will stop themselves automatically and clean up their traces from your device!
A lot of malware and vulnerabilities can be mitigated by disabling specific programs in your computer. Do any of you know about Powershell? It is a scripting language that's bundled with Windows. Nobody except for developers uses it, and it is also widely used by malware to download themselves onto your computer. You can't turn it off, but you can virtually incapacitate its ability to run scripts by running this in an Administrator Powershell:
Set-ExecutionPolicy -ExecutionPolicy AllSigned
And to enable it to run scripts again you run:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
This prevents Powershell from running scripts unless they are signed by a centralized certificate issuer, and there's no way a malware author can convince one of them to sign their malware-installing script.
And to stop the vast majority of malware from being able to run their payloads in a Word document, you should disable VBScript*, another Windows scripting language that is both ancient and obsolete (and can run on Windows even if no programs are installed). Word documents can run VBScript when you interact with them but this can be abused easily. I am disappointed that it is still enabled by default. There is no effort to patch VBScript security holes because it is considered legacy software. VBScript is not used in newer software, partly because there is no documentation about VBscript, and even MS wants you to stop using it.
Here are the registry keys you need to add to completely turn it off (Warning: this might make some programs that have parts of code written a long time ago in VBscript, such as Office, stop working. If that happens, just delete the keys if you created them, or change the values from 0 to 1.)
Here are the steps to be taken to disable the Windows Script Host (WSH) functionality for the current user (steps 2-3) and / or for all users (steps 4-5):
1. Press the WINDOWS + R keys, then type regedit to open the system registry in edit mode.
2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\
3. Create (if it doesn't exist already) a new REG_DWORD key, call it Enabled and assign a value of 0 (zero) to it.
4. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\
5. Create (if it doesn't exist already) a new REG_DWORD key, call it Enabled and assign a value of 0 (zero) to it.
*To put in perspective just how much malware stops working without this, bear in mind that this is the language script kiddies write all of their malware in. So that means it is easy for even them to write malware using VBscript.
Without any scripting systems to run on, it becomes much harder for people to run phishing attacks to download and run arbitrary stuff.
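An added PowerShell script (not from this thread) that audits both settings the post above describes before changing anything: it lists the execution policy in every scope and reports the WSH Enabled value under both registry keys. The -Apply switch is my own assumption, defined in the script, not a built-in; running it requires an elevated PowerShell.

```powershell
# Added audit/hardening helper, not from the thread. Assumptions: run in an
# elevated (Administrator) PowerShell; -Apply is a hypothetical switch defined here.
param([switch]$Apply)

# 1) Execution policy: the effective policy is taken from the most specific
#    scope that is not Undefined, so a Group Policy (MachinePolicy/UserPolicy)
#    or a Process-scope setting can override what Set-ExecutionPolicy wrote at
#    LocalMachine. List every scope rather than trusting a single value.
Write-Host "== PowerShell execution policy by scope =="
Get-ExecutionPolicy -List | Format-Table -AutoSize
Write-Host ("Effective policy: {0}" -f (Get-ExecutionPolicy))

if ($Apply) {
    # Same command the post gives; LocalMachine is the scope it changes.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

# 2) Windows Script Host: Enabled (REG_DWORD) = 0 under these keys disables
#    wscript.exe/cscript.exe for the current user (HKCU) and all users (HKLM).
$wshKeys = @(
    'HKCU:\Software\Microsoft\Windows Script Host\Settings',
    'HKLM:\Software\Microsoft\Windows Script Host\Settings'
)

function Get-WshState {
    param([string]$Key)
    # Missing key or missing value both mean WSH is still enabled (the default).
    $item = Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (WSH enabled by default)' }
    if ($item.Enabled -eq 0) { return 'disabled' } else { return 'enabled' }
}

Write-Host "`n== Windows Script Host state =="
foreach ($key in $wshKeys) {
    Write-Host ("{0} : {1}" -f $key, (Get-WshState $key))
    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
        Write-Host ("  -> set Enabled=0 under {0}" -f $key)
    }
}

# To revert (as the post notes), set Enabled back to 1 under the same key:
#   Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
```

Run it once without -Apply to see the current state, then with -Apply to set both the AllSigned policy and the WSH Enabled=0 values the post describes.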
1. never click on any suspicious links, especially shortened URLs
This advice is not effective because hackers nowadays put their malware in innocent-looking URLs that they send you in email messages along with some normal-looking headline. So it's easy for us to fall for it.